Sandor Molnar created KNOX-3254:
-----------------------------------
Summary: Add configuration option to control Secure flag for pac4j
session store cookies
Key: KNOX-3254
URL: https://issues.apache.org/jira/browse/KNOX-3254
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 2.1.0
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 3.0.0
h3. Problem
The {{KnoxSessionStore}} always sets the {{Secure}} flag on session cookies
regardless of whether the incoming request is HTTPS:
setCookieHeader.setSecure(true)
This behavior prevents testing scenarios that run over HTTP (e.g., local
development, integration tests, CI environments) where secure cookies are not
accepted by browsers or HTTP clients.
As a result, authentication flows using pac4j session cookies cannot be tested
properly in non-HTTPS environments.
----
h3. Proposed Improvement
Introduce a configurable parameter:
pac4j.session.store.secure.cookie
When present, this parameter explicitly controls whether the {{Secure}}
attribute is set on session cookies.
h3. New Behavior
h4. When configuration is NOT set
The Secure flag is determined from the request:
* HTTPS request → Secure = true
* HTTP request → Secure = false
h4. When configuration IS set
The parameter overrides the default logic:
* {{true}} → always Secure
* {{false}} → never Secure
h3. Backward Compatibility
⚠️ *Behavior change*
Previously:
* Secure flag was always set to {{true}}
Now (if not configured):
* Secure flag depends on request security
Implications:
* Deployments serving Knox over plain HTTP will now receive non-Secure cookies
* Deployments relying on always-Secure cookies should explicitly set:
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
